1 Introduction


Milner’s CCS [18], [19] and Hoare’s CSP [16], [17] share the premise that the meaning of a process is fully determined by a synchronization tree, namely, a rooted, unordered tree whose edges are labeled with symbols denoting basic actions or events. These trees are typically specified by a Structured Operational Semantics (SOS) in the style of [23] or by some other effective description, and so are in fact recursively enumerable trees. Both theories further agree that synchronization trees are an overspecification of process behavior, and certain distinct trees must be regarded as equivalent processes. The notable difference in the theories is that bisimulation yields finer distinctions among synchronization trees.

In CSP, process distinctions can be understood as based on observing traces, namely, maximal sequences of visible actions performed by a process. Two trees are trace equivalent iff they have the same set of traces. Given any set of operations on trees, trace congruence is defined to be the coarsest congruence with respect to the operations which refines trace equivalence. Thus, two CSP processes are distinguished iff each can be used in a single CSP context which yields a different set of traces depending on which of the two processes is used. This explanation of when two synchronization trees are to be identified is thoroughly elaborated in Hennessy and De Nicola’s test equivalence system [10]. On the other hand, two CCS processes are distinguished according to an “interactive” game-like protocol called bisimulation. Indistinguishable CCS processes are said to be bisimular.


Figure 1: a(b + c) and ab + ac: trace equivalent but not trace congruent.

A standard example is the pair of trees (Figure 1) a(b + c) and (ab + ac), which are trace equivalent but not CSP trace congruent, viz., in CSP (and also CCS) they are distinct processes. Similarly, the trees of Figure 2,

(abc + abd) and a(bc + bd),   (1)

are CSP trace congruent but not bisimular, viz., equal in CSP but distinct in CCS [24], [6]. The trace-based approach is developed in [7], [17], [21], [10]. Bisimulation-based systems include [19], [20], [2], [4], [5], [3].
Figure 2: abc + abd and a(bc + bd): CSP trace congruent but not bisimular.

The idea of a “silent” (aka “hidden” or “τ-”) action plays an important role in both the CSP and CCS theories, but creates significant technical problems. In this paper we assume for simplicity that there is no silent action. We expect that our conclusions will generally apply when silent actions can occur, but this remains to be verified.

In the absence of silent action, bisimulation is known to be a congruence with respect to all the operations of CSP/CCS, and Milner has argued extensively that in this case bisimulation yields the finest appropriate notion of the behavior of concurrent processes based on synchronization trees. Although there is some ground for refining synchronization trees further (cf. [8]), we shall accept the thesis that bisimular trees are not to be distinguished.

Thus, we admit below only operations with respect to which bisimulation remains a congruence. Since bisimular trees are easily seen to be trace equivalent, it follows in this setting that bisimulation refines any trace congruence. Our results focus on the converse question of whether further identifications should be made, i.e., whether nonbisimular processes are truly distinguishable in their observable behavior.

We noted that a pair of nonbisimular trees $T_1, T_2$ can be distinguished by an “interactive” protocol. The protocol itself can be thought of as a new process $P[T_1, T_2]$. One might suppose that in a general concurrent programming language, it would be possible to define the new process too, and that success or failure of $P$ running on a pair $T_1, T_2$ would be easily visible to an observer who could observe traces.

However, CSP and CCS operations are very similar, and the example of Figure 2 above shows that bisimulation is a strictly finer equivalence than trace congruence with respect to CSP/CCS operations. It follows that the contexts $P$ distinguishing nonbisimular processes by their traces are not definable using the standard CSP/CCS operations; if they were, nonbisimularity could be reduced to trace distinguishability. Namely, any pair of nonbisimular trees $T_1, T_2$ would also be trace distinguishable by plugging them in for $X$ in $P[X, T_2]$ and observing the “success” trace when $T_1$ is plugged in, but not when $T_2$ is plugged in.

Figure 3: a(bc + bd) and a(bc + bd) + abc: GSOS congruent but not bisimular.

Thus, we maintain that implicit in concurrent process theory based on bisimulation is another “interactive” kind of metaprocess, which the formalisms of CSP/CCS are inadequate to define! Our question is

What further operations on CCS/CSP terms are needed so that protocols reducing nonbisimularity to trace distinguishability become definable?

In the remainder of the paper, we argue that bisimulation cannot be reduced to a trace congruence with respect to any reasonably structured system of process constructing operations. The implications of this conclusion are discussed in the final Section 7.

In particular, we formulate in Section 3 a general notion of a system of processes given by structured rules for transitions among terms with guarded recursion — a GSOS system. We also indicate why the focus on guarded recursion is both necessary and appropriate. All previously formulated systems of bisimulation-respecting operations are definable by GSOS’s. Even rules with negative antecedents are allowed in GSOS’s. On the other hand, we indicate in Section 4 that any of the obvious further relaxations of the conditions defining GSOS’s can result in systems which are ill-defined or fail to respect bisimulation. Thus, we believe that GSOS definability provides a generous and mathematically invariant constraint on what a reasonably structured system of processes might be.

Definition 1 Two processes are GSOS trace congruent iff they yield the same traces in all GSOS definable contexts.

Our main result is that bisimulation — even restricted to finite trees — is always a strict refinement of GSOS trace congruence. Specifically, we develop in Section 5 a modal logical characterization of GSOS trace congruence similar to the characterization of bisimulation given by Hennessy and Milner [15] and use it to prove:
Figure 4: aa + ab and aa + ab + a(a + b): CSP trace congruent but not GSOS trace congruent.

Theorem 1 The nonbisimular trees a(bc + bd) and a(bc + bd) + abc (Figure 3) are GSOS trace congruent.

We remark that GSOS congruence is a strict refinement of CSP congruence:

Theorem 2 The processes aa + ab and aa + ab + a(a + b) (see Figure 4) are CSP trace congruent [10, axiom (D5), p. 99] but not GSOS trace congruent.


Abramsky [1] independently raised the question of how to test distinguishability of nonbisimular processes and formalized the operational behavior of a set of protocols which do capture bisimulation. In Section 6 we offer a similar system for the task, slightly improved in certain respects. Our thesis that no reasonably structured system can capture bisimulation implies that both these systems must lack some important structured features. We also examine the nature of these flaws in detail in Section 6.


2 Trees and Modal Formulas

The simplest tree consists of just a root without edges. It is the “successfully stopped” process, 0. If a is an action and P is a tree, then aP is the tree with a fresh root and a single edge, labeled with a, from its root to the root of P (Figure 5). The intention is that aP corresponds to the process which performs action a and then behaves like P. Thus a0 is the tree with one edge labeled a corresponding to the process whose only behavior is to do action a and stop. We ambiguously write just “a” for a0. If P and Q are synchronization trees, let P + Q be the tree obtained by identifying the roots of (disjoint copies of) P and Q (Figure 6). The intention is that P + Q models the nondeterministic process which can behave like either P or Q.
Figure 5: Tree for aP.

Figure 6: Tree for P + Q.


This definition of + and 0 explains why both CCS (branching) and CSP (linear) theories accept the familiar axiom

p + 0 = p.   (2)

Since trees are unordered, both theories also include the equally familiar axioms

(p + q) + r = p + (q + r),   p + q = q + p.   (3)

Now we note that the tree a + a corresponds intuitively to a process which has two different ways of doing action a and stopping. But the intuition that an action is a minimal detectable event suggests that the theory should disallow detection of the way a basic event occurred — all that can be detected is the occurrence of the event itself. Thus in both CSP and CCS, a = a + a, and more generally,

p = p + p,   (4)

is also accepted as a valid axiom.

The “interactive” protocol defining bisimulation appears in many of the references and we omit it. We remark that two finite trees are bisimular iff they are provably equal as a consequence of equations (2)-(4). For our purposes, the most useful formulation of bisimulation is in terms of Hennessy-Milner logic (HML) formulas [15]:


Definition 2 An HML formula is given by the following grammar:

$$\varphi ::= \mathrm{tt} \mid \mathrm{ff} \mid \langle a\rangle\varphi \mid [a]\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi .$$

For any synchronization tree $T$, the satisfaction relation, $T \models \varphi$, is defined as usual for modal logic and Kripke models (cf. [11], [25], [12], [13], or [14]).

A fundamental result of [15] is that two finitely branching synchronization trees are bisimular iff they satisfy exactly the same HML formulas.

In fact, both Abramsky’s and our operational rules in Section 6 for systems where bisimulation coincides with trace congruence are essentially systems for calculating whether a computably finitely branching synchronization tree satisfies an HML formula.

3 Guarded Terms

Synchronization trees defined in CCS using unguarded recursion may be infinitely branching, corresponding to what are called “unboundedly nondeterministic” processes. Bisimulation between such CCS-definable trees cannot — on purely recursion-theoretic grounds based on degree of undecidability — match trace congruence with respect to any set of effective operations on trees. (Actually, this is an interesting story to work out in detail, but we save that for another paper.)

The high degree of undecidability of bisimulation arises from unbounded nondeterminism. Unbounded nondeterminism is a source of other theoretical difficulties as well, notably that the desired operations on processes are not continuous with respect to any useful known topology. For example, there are simple examples of synchronization trees whose finite subtrees from the root are identical, but which are nevertheless not bisimular. For this reason, restrictions are generally imposed on recursive definitions of processes. In CCS, “guarded” recursion is singled out as attractive, and in CSP and the test-equivalence system of [10], unguarded recursions are treated as though they diverged (with an infinite sequence of silent moves). The essence of these restrictions is to ensure that definable trees behave like computably finitely branching trees, i.e., there is an effective procedure which, given (a term denoting) a tree node $M$, computes the finite set $\{(a, N) : M \xrightarrow{a} N\}$.

For finitely branching trees, trace congruence (including infinite traces) coincides with finite-trace congruence, and as we noted two such trees are bisimular iff they satisfy the same set of HML formulas. Since it is decidable whether a computably finitely branching tree satisfies an HML formula, it follows that bisimulation between such trees is at most $\Pi^0_1$, as is the degree of trace congruence with respect to effective operations on such trees. Thus, on recursion-theoretic grounds, finite-trace congruence with respect to some suitable set of operations could equal bisimulation. As noted, this is indeed possible, as we show in Section 6. Nevertheless, no reasonably structured operational system can do the job, as we now explain precisely.

We consider theories of synchronization trees described in the standard way by algebraic terms with fixed point operations.


Definition 3 Process terms, $M$, are given by the grammar:

$$M ::= X \mid aM \mid \mathrm{op}(M, \ldots, M) \mid \mathrm{fix}X.M \qquad (5)$$

where $X$ ranges over synchronization tree variables, $a$ ranges over action symbols, and “op” ranges over operation symbols (of varying arity). $M$ is guarded iff, for each subterm $\mathrm{fix}X.N$, each occurrence of $X$ in $N$ is within the scope of an $a$-prefixing operator.


Note that all terms not containing fixed points are guarded. The unary operator $a(\cdot)$ is distinguished from the other operator symbols since it plays a special role in the definition of guarded terms. It will be required to have the same meaning in all GSOS’s, namely $a$-prefixing.


Definition 4 A Structured Transition Rule (STR) is a rule of the form:

$$\frac{\{X_i \xrightarrow{a_{ij}} Y_{ij} \mid 1 \le j \le m_i\}_{i=1}^{l}, \quad \{X_i \not\xrightarrow{b_{ij}} \mid 1 \le j \le n_i\}_{i=1}^{l}}{\mathrm{op}(X_1, \ldots, X_l) \xrightarrow{c} M}$$

where the variables are all distinct, $l \ge 0$ is the arity of op, $m_i, n_i \ge 0$, and $M$ is a guarded term whose free variables are contained in the set of $X_i$’s and $Y_{ij}$’s. ($M$ need not contain all these variables.) The symbol op is called the principal operator of the rule.

The antecedents of the form $X \xrightarrow{a} Y$ are called positive, and are satisfied when $X$ and $Y$ are instantiated with processes such that $Y$ is an $a$-child of $X$’s synchronization tree (cf. Definition 7 below). The others, of the form $X \not\xrightarrow{a}$, are called negative; they are satisfied when $X$ is instantiated by a process with no $a$-children at its root. The rule is positive if all the antecedents are positive.


Note that every $X_i$ occurring in the antecedent of an STR must occur as an argument of the principal operator in the consequent, but not every argument of the principal operator need occur in the antecedent.


Definition 5 Fixed point rules are of the form:

$$\frac{M[X := \mathrm{fix}X.M] \xrightarrow{a} N}{\mathrm{fix}X.M \xrightarrow{a} N} \qquad (6)$$

where $M[X := N]$ denotes substitution of $N$ for $X$ in $M$, with renaming to avoid capture of free variables in $N$. Guarded fixed point rules are fixed point rules in which the term $\mathrm{fix}X.M$ is guarded.


Many of our results are unaffected if an arbitrary family of what we call δ-rules of the form


are allowed, involving a (possibly uncountable) number of constants $c_i$.

All GSOS’s have all guarded fixed point rules (6), and so these are not mentioned explicitly in the next definition.


Definition 6 A GSOS rule system is given by a finite alphabet of actions $a$, a finite number of STR’s, and an arbitrary set of δ-rules. There must, for each $a$, be a unique rule whose consequent is of the form $aX \xrightarrow{a} M$, and this rule must be

$$aX \xrightarrow{a} X \qquad (7)$$

Definition 7 An instantiation, $e$, is a map from variables to guarded terms. If $P$ is a guarded term, then $P[e]$ denotes the simultaneous substitution of $e(X)$ for each free occurrence of $X$ in $P$.

Definition 8 A system of binary relations $\xrightarrow{a}$ on guarded terms, indexed by actions $a$, agrees with a set of rules iff:

• Whenever an instantiation by $e$ of the antecedents of a rule is true of the relation, then the instantiation of the consequent by $e$ is true as well.

• Whenever $P \xrightarrow{a} Q$ is true, then there is a rule $r$ and an instantiation $e$ such that $P \xrightarrow{a} Q$ is the instantiation of the consequent of $r$ by $e$, and the instantiations of the antecedents of $r$ by $e$ are true.

Theorem 3 For any GSOS system, there is a unique system of arrow relations indexed by actions which agrees with the STR’s of the GSOS plus the guarded fixed point rules (6).

Proof: A routine structural induction and slightly less routine fixed point induction on guarded terms. Details omitted. □


For example, Milner’s SCCS operators [19] are defined by STR’s:

$$\frac{X \xrightarrow{a} Y, \quad X' \xrightarrow{b} Y'}{X \times X' \xrightarrow{ab} Y \times Y'}$$

The simple interleaving product of CCS is given by:

$$\frac{X \xrightarrow{a} Y}{X \mid X' \xrightarrow{a} Y \mid X'} \qquad \frac{X' \xrightarrow{a} Y'}{X \mid X' \xrightarrow{a} X \mid Y'}$$

Sequential composition of processes may (and must) be defined using negative rules:

$$\frac{X \xrightarrow{a} Y}{X \cdot X' \xrightarrow{a} Y \cdot X'} \qquad \frac{X' \xrightarrow{a} Y', \quad \{X \not\xrightarrow{b} \mid b \in \mathrm{Act}\}}{X \cdot X' \xrightarrow{a} Y'}$$

Thus, the operational rules assigning synchronization trees to CCS/CSP/ACP/MEIJE terms easily fit the GSOS framework.

In fact, STR’s go beyond the kind of SOS rules needed for CCS in two respects — use of negation and use of copying. Namely, there can be more than one antecedent about the behavior of the same subprocess in an STR. For example,

$$\frac{X \xrightarrow{a} Y, \quad X \xrightarrow{b} Y'}{\text{a-if-b}(X) \xrightarrow{a} \text{a-if-b}(Y)}$$

involves two “copies” of process $X$ in the antecedent. Substituting for $X$ in a-if-b($X$ + b) trace distinguishes the two trees in Theorem 2 (Figure 4). This example also shows that GSOS congruence strictly refines Phillips’ refusal testing congruence [22], which he was led to develop by considerations similar to ours and Abramsky’s. Note that neither recursion nor negative rules were needed in this example. De Simone [9] shows that without negation or copying, the only GSOS definable operators are already CCS definable.
4 Why GSOS?

Keeping to the GSOS discipline provides structural induction as a proof technique, as indicated for Theorem 3. In addition, GSOS’s guarantee:

Theorem 4 If a set of δ-rules defines a set of computably finitely branching trees, then the trees definable in any GSOS system with these δ-rules are also computably finitely branching.

Theorem 5 Bisimulation is a congruence with respect to all GSOS contexts.

There are many technical restrictions in our definition of a GSOS rule, and it is natural to ask if they can be relaxed. We indicate how various relaxations may break the key properties of GSOS systems. Note that some systems with non-GSOS rules enjoy the good properties of GSOS systems; however, this is not immediate from the syntactic specifications of these systems. We maintain that GSOS’s represent essentially the most general family of systems satisfying Theorems 3-5. The two properties which non-GSOS rules often violate are:

1. The existence of a unique system of arrow relations, $\xrightarrow{a}$, agreeing with the rules.

2. The guarantee that bisimulation is a congruence.

The disjointness of the variables on the right and left sides of arrows in the antecedent is required to guarantee the existence of an arrow relation. Consider a system including the three operators $\alpha$, $\beta$, and $\gamma$ defined as follows:

$$\frac{X \xrightarrow{a} Y_1, \quad Y_1 \xrightarrow{a} Y_2}{\alpha(X) \xrightarrow{a} 0} \qquad \frac{X \not\xrightarrow{a}}{\beta(X) \xrightarrow{a} 0} \qquad \gamma \xrightarrow{a} \beta(\alpha(\gamma))$$

It is not hard to show that there is no arrow relation which agrees with these rules. In particular, $\alpha(\gamma)$ can move iff it cannot move.


Other ways to use variables for pattern-matching allow us to distinguish between bisimular processes. For example, the following rule has two uses of $Y$.

$$\frac{X_1 \xrightarrow{a} Y, \quad X_2 \xrightarrow{a} Y}{\delta(X_1, X_2) \xrightarrow{a} 0}$$

The context $\delta(a0, a(\cdot))$ distinguishes between the bisimular stopped processes 0 and 0 + 0.

Other forms of pattern-matching, predictably, fail to guarantee preservation of bisimulation. For instance, if we allow the left-hand side of a consequent to look at more than the first operator of a process, we can have the rule

$$\zeta(0) \xrightarrow{a} 0$$

which again gives a context $\zeta(\cdot)$ which distinguishes between 0 and 0 + 0.

5 Limited Modal Formulas

Definition 9 Limited modal formulas are given by the following grammar:

$$\varphi ::= \mathrm{tt} \mid \mathrm{ff} \mid [a]\mathrm{ff} \mid \langle a\rangle\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi .$$

Two trees are defined to be limited modal equivalent iff they satisfy the same set of limited modal formulas.

That is, a limited modal formula is an HML formula with a very restricted use of the $[a]$ (necessity) modality.

Theorem 6 For finitely branching synchronization trees, limited modal equivalence coincides with GSOS trace congruence.

Proof: A nontrivial structural and fixed-point induction, which is omitted from the preliminary report. □
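As an added illustration (not code from the paper), the following Python encodes finite synchronization trees, maximal traces, bisimulation, HML satisfaction and limited modal formulas from Sections 2 and 5, together with the a-if-b operator of Section 3, and runs them over the pairs of Figures 1 to 4. The tuple encoding of formulas, the n-ary ∧/∨ and all function names are this example's own conventions, and the distinguishing-formula construction replays the bisimulation game rather than following any procedure in the paper.

```python
# Finite synchronization trees (Section 2) as frozensets of (action, subtree)
# edges: the root is implicit and the stopped process 0 is the empty set.
NIL = frozenset()

def pre(a, p=NIL):
    """aP: a fresh root with one a-labelled edge into P."""
    return frozenset({(a, p)})

def plus(*ps):
    """P + Q: identify the roots of the summands. Edges form a set, so the
    axioms (2)-(4) hold literally: p + 0 == p and p + p == p."""
    return frozenset().union(*ps)

def children(p, a):
    """The a-children of the root, i.e. the targets of p --a--> q."""
    return [q for (b, q) in p if b == a]

def traces(p):
    """Maximal traces: action sequences from the root down to a leaf."""
    return {(a,) + t for (a, q) in p for t in traces(q)} if p else {()}

def bisimilar(p, q):
    """Strong bisimulation on finite trees: every move from either root is
    matched by an equally labelled move from the other into a bisimilar subtree."""
    def matched(x, y):
        return all(any(bisimilar(s, t) for t in children(y, a)) for (a, s) in x)
    return matched(p, q) and matched(q, p)

# HML formulas (Definition 2) as tuples: ('tt',), ('ff',), ('dia', a, phi) for
# <a>phi, ('box', a, phi) for [a]phi, and n-ary ('and', [...]) / ('or', [...]).
TT, FF = ('tt',), ('ff',)

def sat(p, phi):
    """T |= phi, evaluated over the tree's edges as in a Kripke model."""
    tag = phi[0]
    if tag in ('tt', 'ff'):
        return tag == 'tt'
    if tag == 'dia':                  # some a-child satisfies the body
        return any(sat(q, phi[2]) for q in children(p, phi[1]))
    if tag == 'box':                  # every a-child satisfies the body
        return all(sat(q, phi[2]) for q in children(p, phi[1]))
    parts = [sat(p, f) for f in phi[1]]
    return all(parts) if tag == 'and' else any(parts)

def distinguish(p, q):
    """Replay the bisimulation game to build an HML formula true at p and
    false at q, as in the Hennessy-Milner theorem [15]; None if bisimilar."""
    for (a, s) in p:                  # a move of p that q cannot match
        ts = children(q, a)
        if not any(bisimilar(s, t) for t in ts):
            fs = [distinguish(s, t) for t in ts]
            return ('dia', a, ('and', fs) if fs else TT)
    for (a, t) in q:                  # a move of q that p cannot match
        ss = children(p, a)
        if not any(bisimilar(s, t) for s in ss):
            fs = [distinguish(s, t) for s in ss]
            return ('box', a, ('or', fs) if fs else FF)
    return None

def is_limited(phi):
    """Limited modal formulas (Definition 9): [a] may occur only as [a]ff."""
    tag = phi[0]
    if tag in ('tt', 'ff'):
        return True
    if tag == 'dia':
        return is_limited(phi[2])
    if tag == 'box':
        return phi[2] == FF
    return all(is_limited(f) for f in phi[1])

def a_if_b(x, a='a', b='b'):
    """The copying operator of Section 3:
    a-if-b(X) --a--> a-if-b(Y)  iff  X --a--> Y and X --b--> Y' for some Y'."""
    if not children(x, b):
        return NIL
    return frozenset({(a, a_if_b(y, a, b)) for y in children(x, a)})

def theorem2_context(x):
    """Traces of a-if-b(X + b), the GSOS context the paper applies to Figure 4."""
    return traces(a_if_b(plus(x, pre('b'))))

# The paper's example pairs (Figures 1-4), built from 0, aP and P + Q.
a, b, c, d = 'a', 'b', 'c', 'd'
FIG1 = (pre(a, plus(pre(b), pre(c))), plus(pre(a, pre(b)), pre(a, pre(c))))
FIG2 = (plus(pre(a, pre(b, pre(c))), pre(a, pre(b, pre(d)))),
        pre(a, plus(pre(b, pre(c)), pre(b, pre(d)))))
FIG3 = (FIG2[1], plus(FIG2[1], pre(a, pre(b, pre(c)))))
FIG4 = (plus(pre(a, pre(a)), pre(a, pre(b))),
        plus(pre(a, pre(a)), pre(a, pre(b)), pre(a, plus(pre(a), pre(b)))))

if __name__ == '__main__':
    for name, (p, q) in (('Fig1', FIG1), ('Fig2', FIG2), ('Fig3', FIG3), ('Fig4', FIG4)):
        # A limited witness in either direction separates the pair by GSOS traces
        # (Theorem 6); finding none is consistent with Theorem 1 but proves nothing.
        limited = any(is_limited(distinguish(x, y)) for x, y in ((p, q), (q, p)))
        print(name, 'trace equivalent:', traces(p) == traces(q),
              'bisimilar:', bisimilar(p, q), 'limited witness:', limited)
    print('a-if-b(X + b) traces:', theorem2_context(FIG4[0]), theorem2_context(FIG4[1]))
```

For Figure 4 the constructed witness ⟨a⟩(⟨a⟩tt ∧ ⟨b⟩tt) is limited and a-if-b(X + b) separates the traces as Theorem 2 states, while for Figure 3 the game yields only formulas with a non-trivial [a], consistent with Theorem 1 though not a proof of it. The Figure 2 pair also gets a limited witness, so by Theorem 6 it is not GSOS trace congruent, which is why Theorem 1 needs the Figure 3 pair.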

6 Global Testing Semantics of Bisimulation

Abramsky, “aim[ing] to place the cards on the table as a basis for . . . discussion,” [1, p. 15], develops a clear system of operational rules whose trace congruence coincides with bisimulation for finitely branching trees without silent actions. By Theorem 1, this system cannot conform to the GSOS discipline. Examining it in detail, we find:


1. There are two sorts of processes, those given CCS-like treatment as synchronization trees and other “test” processes which have different operations defined on them. For example, test processes are not closed under recursive definitions.

2. The inductive rules defining the operational semantics of test processes assign transitions to terms which must pattern-match on more than their outermost operator. This violates the GSOS format and makes it unclear whether the operations respect bisimulation.

3. Indeed, bisimulation is not a congruence on test processes, nor are bisimular test processes trace congruent.

4. The inductive rules defining the operational semantics of test processes involve negative antecedents. This makes it unclear whether the transition relation is even well-defined, given the presence of non-GSOS rules in the system.

5. Finally, to define the operational behavior of tests, Abramsky introduces rule-schemes which he describes as involving global testing. Namely, if $T$ is a tree, let $S_a(T) = \{T_i \mid T \xrightarrow{a} T_i\}$. Then rule schemes of the following form appear:

$$\frac{S_a(T) = \{T_1, \ldots, T_n\}}{\exists(T) \xrightarrow{a} \bigvee_{j=1}^{n} \exists(T_j)} \qquad (8)$$

Note that the number of antecedents implicitly appearing in such global-testing rules is unbounded.


Items 1, 2, and 3 can be repaired in an ad hoc way. A guarded (pun intended) use of negative antecedents can, as already demonstrated in Section 4, be admitted in well-structured systems. We now exhibit our own variation of Abramsky’s system as a modest improvement which meets concerns 1-4. The global-testing rules remain, however, as an objectionable feature.

Global testing is objectionable because, in general, bisimulation may not be a congruence with respect to operations definable with global testing — although it is a congruence for our particular system. Indeed it is undecidable to determine whether bisimulation is a congruence given a finite set of GSOS-plus-global-testing rules. Even when bisimulation is a congruence, merely adding positive STRs may destroy the congruence.

Let $S$ be any GSOS system. We will extend $S$ to a new system $\hat{S}$, involving global-testing as well as GSOS rules, in which trace congruence coincides with bisimulation. The extension is conservative, namely, if $P$ is a process in $S$, then the behavior of $P$ in $\hat{S}$ is precisely that of $P$ in $S$.


Figure 7: Operators for Global-Testing System: $\mathrm{and}(\cdot,\cdot)$, $\mathrm{or}(\cdot,\cdot)$, $\mathrm{pos}_a(\cdot)$, $\mathrm{nec}_a(\cdot)$, false, $\mathrm{Sat}(\cdot,\cdot)$, $\cdot \wedge \cdot$, $\cdot \vee \cdot$.


The actions of $\hat{S}$ are the actions of $S$ plus $\{e, d, t, f, b_1, b_2, \ldots, b_n\}$, where $n$ is a suitably large number chosen below. The operations of $\hat{S}$ are those of $S$, together with the operators shown in Figure 7.

The first six operators are the formula-representing operators; there is a $\mathrm{pos}_a(P)$ and $\mathrm{nec}_a(P)$ for each action $a$ of $S$.


If $F$ codes an HML formula $\varphi$, then $\mathrm{Sat}(P, F)$ will compute whether or not $P$ satisfies $\varphi$. $\mathrm{Sat}(P, F)$ takes a $t$-step if $F$ codes tt, and an $f$-step if $F$ codes ff; otherwise it makes an $e$-step, doing one step of the computation trying to see if $P$ satisfies $F$, and produces an $e$.


Finally, the binary infix operators $\cdot \wedge \cdot$ and $\cdot \vee \cdot$ are the computational boolean operators, which evaluate the conjunctions and disjunctions arising in the evaluation of $\mathrm{Sat}(P, F)$.


The system codes HML formulas into bisimulation trees in the following way. Let the bit pattern of $F$, $\mathrm{bitpat}(F)$, be the vector $(v_1, \ldots, v_n)$, where $v_i = 0$ if $F \not\xrightarrow{b_i}$ and $v_i = 1$ otherwise. Choose $n$ large enough so that each connective of HML over $S$ can be coded as a distinct bit pattern; let $\mathrm{code}(\sigma)$ be the bit vector coding the connective $\sigma$. (The connectives are tt, ff, $\wedge$, $\vee$, and $\langle a\rangle$ and $[a]$ for each action $a$ of $S$. Note that the system is slightly self-referential: there are $\langle b_i\rangle$ and $[b_i]$ modalities, coded by the bit patterns of the actions $b_i$ themselves. It is clearly possible to choose $n$ so large that all the necessary modalities may be coded as bit patterns.) To extract an HML formula from a process $F$, we let the bit pattern of $F$ give the leading connective of $\varphi$; we write “$F$ codes $\sigma$” (where $\sigma$ is a connective) for $\mathrm{bitpat}(F) = \mathrm{code}(\sigma)$. Note that “$F$ codes $\sigma$” may be expressed as a vector of $F \xrightarrow{b_i}$ and $F \not\xrightarrow{b_i}$ conditions, and is meaningful in the antecedent of a GSOS rule.


The arguments, if any, of the main connective of $\varphi$ will be represented by the children of $F$ under $d$. For example, the process coding $\varphi_1 \wedge \varphi_2$ is as follows. The root can take $b_i$-steps in the bit pattern for $\wedge$. It also has two $d$-descendants $F_1$ and $F_2$, which represent $\varphi_1$ and $\varphi_2$.

* $F$ is a metavariable ranging over processes which we intend to be formulas. This is mnemonic only; $F$ may be instantiated by any process. Indeed, this fact forces us to include many of the non-obvious features of the system.

There is an obvious translation $\varphi \mapsto \varphi^*$ of HML formulas into processes. For example,

$$(\varphi_1 \wedge \varphi_2)^* = \mathrm{and}(\varphi_1^*, \varphi_2^*) \qquad (\langle a\rangle\varphi)^* = \mathrm{pos}_a(\varphi^*)$$

The satisfaction operator $\mathrm{Sat}(P, F)$ will attempt to interpret $F$ as a formula of HML, as described above. $\mathrm{Sat}(P, F)$ will produce actions $e$ until it decides whether or not $P$ satisfies the formula coded by $F$; it then produces an action, $t$ or $f$ as appropriate. If $F$ does not code a formula, $\mathrm{Sat}(P, F)$ may die without producing a $t$ or $f$ answer, or it may run forever. As it computes, it will make use of the computational Boolean operators $\wedge$ and $\vee$. For example, we will have the behavior:

$$\mathrm{Sat}(P, (\varphi_1 \wedge \varphi_2)^*) \xrightarrow{e} \mathrm{Sat}(P, \varphi_1^*) \wedge \mathrm{Sat}(P, \varphi_2^*) \qquad (9)$$

The computational “and” and “or,” $P \wedge Q$ and $P \vee Q$, combine the $e$, $t$, and $f$ actions produced by $\mathrm{Sat}(P, F)$. $P \wedge Q$ runs $P$ and $Q$ synchronously until both have finished producing $e$’s; then $P \wedge Q$ produces the conjunction of the truth signals produced by $P$ and $Q$. $P \vee Q$ behaves similarly.

The system has some technical properties to facilitate the proof that bisimulation is a congruence. We call a process crudely Boolean if its synchronization tree consists of a single (finite or infinite) trace, with all actions before the final step being $e$’s, and the final step labeled either $e$, $t$, or $f$. The proofs of congruence depend on having certain processes be crudely Boolean. $P \wedge Q$ and $P \vee Q$ are crudely Boolean whenever $P$ and $Q$ are; and furthermore, both operators are associative, commutative, and idempotent on crudely Boolean processes. $\mathrm{Sat}(P, F)$ is a crudely Boolean process for all $P$ and $F$, in particular for those $F$ which are not the translations of modal formulas.

It is also necessary that an $F$ have a unique sequence of arguments to its coded main connective. $\hat{S}$ follows the convention that the $d$-descendants of a process are its arguments. However, the operators of $\hat{S}$ will allow us to build processes which have too many or too few $d$-descendants; for example,

$$\mathrm{and}(F_0, F_1) + \mathrm{and}(F_2, F_3)$$

codes an ill-formed conjunction with four $d$-children. We will use global testing to make sure the rules use all the $d$-descendants as arguments. (Choosing, say, the first two descendants would lead to distinctions between bisimular processes, for bisimular processes may list their descendants in different orders.) The simple rule for conjunctions (equation 9) gives the desired behavior on well-formed conjunctions; in general, we will treat all the $d$-children of a conjunction as conjuncts.

$$\frac{F \text{ codes } \wedge,\quad \mathrm{Children}(F, d) = (F_1, \ldots, F_n)}{\mathrm{Sat}(P, F) \xrightarrow{\varepsilon} \bigwedge_{i=1}^{n} \mathrm{Sat}(P, F_i)}$$

where $\bigwedge_{i=1}^{n}$ is an iterated ∧, and by convention $\bigwedge_{i=1}^{0} X_i$ is the process $t\mathbf{0}$. Similarly, we treat all the d-children of a disjunction as disjuncts. A well-formed coded modality $(\langle a\rangle\varphi)^*$ or $([a]\varphi)^*$ has only one d-descendant. Again, to avoid distinguishing bisimular processes representing ill-formed formulas, the rules cannot ignore extra d-descendants; we use the disjunction of all the d-descendants (cf. rules (10), (11)), so that $\mathrm{pos}_a F_1 + \mathrm{pos}_a F_2$ is used in much the same way as $\mathrm{pos}_a(\mathrm{or}(F_1, F_2))$. The choice of disjunction was arbitrary; conjunction would have worked as well.

Note also that we are using ordered global testing rules to make Sat(P, F) have only a single child. We fix some order, e.g., lexicographic order, on the children of each process when instantiating the antecedent of a global testing rule.

The full set of rules for this system is:

For each connective σ of HML over S, index i such that the i-th bit of code(σ) is 1, operator op corresponding to σ, and vector $\vec X$ of length equal to the arity of op,

$$\mathrm{op}(\vec X) \xrightarrow{i} \mathbf{0}$$

In addition,

$$\begin{array}{ll}
\mathrm{and}(P, Q) \xrightarrow{d} P & \mathrm{and}(P, Q) \xrightarrow{d} Q \\
\mathrm{or}(P, Q) \xrightarrow{d} P & \mathrm{or}(P, Q) \xrightarrow{d} Q \\
\mathrm{pos}_a(P) \xrightarrow{d} P & \mathrm{nec}_a(P) \xrightarrow{d} P
\end{array}$$

The rules for Sat(P, F) are given in Figure 8. Recall that the expression "F codes σ" is an abbreviation for a sequence of $F \xrightarrow{i}$ and $F \not\xrightarrow{i}$ tests, and therefore is acceptable in the antecedent of a GSOS rule. Also recall that we are treating multiple arguments of a modality as their disjunction.

The  computational  Boolean  operators  are  largely  synchronous,  to  make  them  idempotent, 
associative,  and  commutative  on  crudely  Boolean  processes. 


$$\frac{F \text{ codes } tt}{\mathrm{Sat}(P, F) \xrightarrow{t} \mathbf{0}} \qquad\qquad \frac{F \text{ codes } ff}{\mathrm{Sat}(P, F) \xrightarrow{f} \mathbf{0}}$$

$$\frac{F \text{ codes } \wedge,\quad \mathrm{Children}(F, d) = (F_1, \ldots, F_n)}{\mathrm{Sat}(P, F) \xrightarrow{\varepsilon} \bigwedge_{i=1}^{n} \mathrm{Sat}(P, F_i)}$$

$$\frac{F \text{ codes } \vee,\quad \mathrm{Children}(F, d) = (F_1, \ldots, F_n)}{\mathrm{Sat}(P, F) \xrightarrow{\varepsilon} \bigvee_{i=1}^{n} \mathrm{Sat}(P, F_i)}$$

$$\frac{F \text{ codes } \langle a\rangle,\quad \mathrm{Children}(F, d) = (F_1, \ldots, F_n),\quad \mathrm{Children}(P, a) = (P_1, \ldots, P_m)}{\mathrm{Sat}(P, F) \xrightarrow{\varepsilon} \bigvee_{i=1}^{m} \Bigl(\bigvee_{j=1}^{n} \mathrm{Sat}(P_i, F_j)\Bigr)} \qquad (10)$$

$$\frac{F \text{ codes } [a],\quad \mathrm{Children}(F, d) = (F_1, \ldots, F_n),\quad \mathrm{Children}(P, a) = (P_1, \ldots, P_m)}{\mathrm{Sat}(P, F) \xrightarrow{\varepsilon} \bigwedge_{i=1}^{m} \Bigl(\bigvee_{j=1}^{n} \mathrm{Sat}(P_i, F_j)\Bigr)} \qquad (11)$$

Figure 8: Global-testing rules capturing bisimulation.


For a', b' ∈ {t, f}, let c' be their conjunction and d' their disjunction. We have the rules

$$\frac{P \xrightarrow{\varepsilon} P',\quad Q \xrightarrow{\varepsilon} Q'}{P \vee Q \xrightarrow{\varepsilon} P' \vee Q',\quad P \wedge Q \xrightarrow{\varepsilon} P' \wedge Q'}$$

$$\frac{P \xrightarrow{\varepsilon} P',\quad Q \xrightarrow{b'} Q'}{P \vee Q \xrightarrow{\varepsilon} P' \vee Q,\quad P \wedge Q \xrightarrow{\varepsilon} P' \wedge Q}$$

$$\frac{P \xrightarrow{a'} P',\quad Q \xrightarrow{\varepsilon} Q'}{P \vee Q \xrightarrow{\varepsilon} P \vee Q',\quad P \wedge Q \xrightarrow{\varepsilon} P \wedge Q'}$$

$$\frac{P \xrightarrow{a'} P',\quad Q \xrightarrow{b'} Q'}{P \wedge Q \xrightarrow{c'} \mathbf{0},\quad P \vee Q \xrightarrow{d'} \mathbf{0}}$$

The following properties of 𝒮 show that it is indeed what we want:

• There is a unique arrow relation compatible with these rules.

• The synchronization tree of each 𝒮-process is computable relative to S, and finitely branching if all S-processes are finitely branching.

• For any formula φ of Hennessy-Milner logic over S and process P of S, the process Sat(P, φ*) has a trace ending in t iff P ⊨ φ. So, trace congruence refines bisimulation.

• Bisimulation is a congruence relation with respect to all 𝒮 operators.

• Hence, bisimulation coincides with trace congruence for this system.
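The following Python is an added example, not code from the paper: it runs the computational Boolean operators ∧ and ∨ on crudely Boolean processes (represented by their single trace, a string of ε steps written `e` followed by `t` or `f`) exactly as the four rules above prescribe, derives the trace of Sat(P, F) rule by rule from Figure 8 (conjunction over all d-children, disjunction over the arguments of a modality, rules (10) and (11) over the a-children of P), and checks the third property listed above, that the trace ends in t exactly when P ⊨ φ, against ordinary Hennessy-Milner satisfaction and a naive bisimulation check on finite trees. The function names, the tuple encodings of trees and coded formulas, and the constructed processes a(b+c) and ab+ac are this example's own; taking the empty disjunction to be the process f0 is an assumption made by analogy with the text's convention that the empty conjunction is t0.

```python
# Added example (not the paper's code): finite synchronization trees, the
# crudely Boolean trace combinators, and the Sat(P, F) rules of Figure 8 run
# as a trace-producing evaluator.  All encodings below are constructed here.

ZERO = ()                                   # the deadlocked process 0

def prefix(a, P):                           # a.P as a tuple of (action, subtree) edges
    return ((a, P),)

def plus(*Ps):                              # P + Q: union of the root edges
    return tuple(edge for P in Ps for edge in P)

def children(P, a):                         # Children(P, a) in the text's notation
    return [T for (x, T) in P if x == a]

def is_crudely_boolean(s):                  # a trace e...e followed by one of t, f
    return len(s) >= 1 and set(s[:-1]) <= {'e'} and s[-1] in 'tf'

def cb_combine(p, q, op):
    """P op Q for crudely Boolean P, Q, following the rules for the computational
    Boolean operators: both step on epsilon together; a process already at its
    truth signal is left unchanged while the other still emits epsilons; when
    both offer a signal, the combined process emits op(signals) and stops."""
    i = j = 0
    out = []
    while p[i] == 'e' or q[j] == 'e':
        out.append('e')
        i += p[i] == 'e'                    # advance only the side that stepped
        j += q[j] == 'e'
    return ''.join(out) + ('t' if op(p[i] == 't', q[j] == 't') else 'f')

def cb_and(p, q): return cb_combine(p, q, lambda u, v: u and v)
def cb_or(p, q):  return cb_combine(p, q, lambda u, v: u or v)

def iterated(ps, op, unit):
    # Iterated conjunction/disjunction.  The empty conjunction is t0 (trace 't'),
    # as the text says; the empty disjunction is assumed here to be f0 ('f').
    r = unit
    for p in ps:
        r = op(r, p)
    return r

# Coded formulas: ('tt',), ('ff',), ('and', F1, ..., Fn), ('or', F1, ..., Fn),
# ('pos', a, F1, ..., Fn), ('nec', a, F1, ..., Fn).  Extra arguments of a
# modality are read as their disjunction, as the text prescribes.
def sat(P, F):
    """Trace of Sat(P, F), built rule by rule from Figure 8."""
    kind = F[0]
    if kind == 'tt':
        return 't'
    if kind == 'ff':
        return 'f'
    if kind == 'and':
        return 'e' + iterated([sat(P, G) for G in F[1:]], cb_and, 't')
    if kind == 'or':
        return 'e' + iterated([sat(P, G) for G in F[1:]], cb_or, 'f')
    a, args = F[1], F[2:]
    inner = [iterated([sat(Pi, G) for G in args], cb_or, 'f')
             for Pi in children(P, a)]
    if kind == 'pos':                       # rule (10): disjunction over a-children
        return 'e' + iterated(inner, cb_or, 'f')
    if kind == 'nec':                       # rule (11): conjunction over a-children
        return 'e' + iterated(inner, cb_and, 't')
    raise ValueError(F)

def models(P, F):
    """Ordinary HML satisfaction P |= F, used to check the trace evaluator."""
    kind = F[0]
    if kind in ('tt', 'ff'):
        return kind == 'tt'
    if kind in ('and', 'or'):
        return (all if kind == 'and' else any)(models(P, G) for G in F[1:])
    a, args = F[1], F[2:]
    hits = [any(models(Pi, G) for G in args) for Pi in children(P, a)]
    return any(hits) if kind == 'pos' else all(hits)

def bisimilar(P, Q):
    """Strong bisimulation on finite trees (naive recursion, fine for toys)."""
    for a in {x for x, _ in P} | {x for x, _ in Q}:
        Ps, Qs = children(P, a), children(Q, a)
        if not all(any(bisimilar(p, q) for q in Qs) for p in Ps):
            return False
        if not all(any(bisimilar(p, q) for p in Ps) for q in Qs):
            return False
    return True

# Constructed processes a(b+c) and ab+ac, and the formula [a](<b>tt and <c>tt).
P1 = prefix('a', plus(prefix('b', ZERO), prefix('c', ZERO)))
P2 = plus(prefix('a', prefix('b', ZERO)), prefix('a', prefix('c', ZERO)))
PHI = ('nec', 'a', ('and', ('pos', 'b', ('tt',)), ('pos', 'c', ('tt',))))
```

Running `sat(P1, PHI)` gives `eeet` and `sat(P2, PHI)` gives `eeef`: the two trace-equivalent processes are told apart by the final truth signal, and `bisimilar(P1, P2)` is `False`, as the correspondence between Sat and ⊨ requires. Because `cb_combine` only ever consumes an ε from the side that actually stepped, the number of ε's in P ∧ Q is the maximum of the two, which is what makes the operator idempotent, commutative, and associative on crudely Boolean traces; the same combinator with different folds serves every iterated operator in Figure 8.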


The difficult property to verify is that bisimulation is a congruence. A sufficient condition to ensure that a system with global testing respects bisimulation is that the iterated operators in the consequents of global testing rules, in this case ∧ and ∨, are commutative, associative, and idempotent. In our case, commutativity follows routinely from symmetries in the rules. In our system, ∧ and ∨ are also idempotent and associative on crudely Boolean processes, which is all we need for the proof. Our rules were contrived to make this fact easily verified.


1.  Trace  Equivalence 

2.  Trace  Congruence  (CSP) 

3.  Refusal  Testing  ([22]) 

4.  GSOS  Congruence  (Definition  [?]) 

5.  Bisimulation  (CCS) 

Figure  9:  Successively  Finer  Equivalences  on  Processes 

7  Conclusions 

Should bisimulation play a significant role in process theory? It has many nice properties, a rich theory, and a tested methodology for verifying correctness of genuine, nontrivial protocols. Nevertheless, we find unconvincing the arguments for taking bisimulation as a primitive notion. We maintain that computational distinctions should be made only because of observable differences "at the terminal". Global testing systems which reduce bisimulation to such observations do not offer what we regard as a reasonable framework for defining operations on processes. Of course, the most persuasive pragmatic argument against bisimulation would be an independently interesting concurrent protocol verifiable using a methodology based on GSOS trace congruence but not even correct from the bisimulation view. Such an argument remains to be elaborated.

In any case, the development here clarifies the point of keeping to a GSOS discipline in specifying process behavior. It also motivates further investigation of a new congruence, namely GSOS trace congruence, which is finer than CSP or refusal testing congruence but coarser than bisimulation (cf. Figure 9). Particularly noteworthy is the problem of axiomatizing the equational theory of finite trees with the operations + and a-prefixing under GSOS congruence.